Solução

Planos

Recursos

Advisories

Empresa

Select Language



Contatar vendas

Fazer login

Teste gratuito

Select Language



Contatar vendas

Teste gratuito

Select Language





Advisories

Akaunting 3.1.21 - Stored XSS in delete confirmation modal

4,8

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Naveda

Summary

Full name

Akaunting 3.1.21 - Stored XSS in delete confirmation modal through unescaped model names

Code name

human

State

Public

Release date

22 de jun. de 2026

Affected product

Akaunting

Vendor

Akaunting

Affected version(s)

3.1.21

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.8

Exploit available

Yes

CVE ID(s)

CVE-2026-11942

Description

Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name. When another authenticated user opens the delete confirmation dialog for that record, Akaunting builds the modal message from the stored name and renders it as HTML through Vue's v-html, causing attacker-controlled JavaScript to execute in the victim's browser session.

Vulnerability

Root cause

1. User-controlled Item names are accepted and persisted without HTML validation.

- app/Http/Requests/Common/Item.php:43-46 validates name only as required|string.
- app/Models/Common/Item.php:38 marks name as fillable.
- app/Jobs/Common/CreateItem.php:20-22 persists $this->request->all().
- app/Jobs/Common/UpdateItem.php:18-20 updates the model from $this->request->all().

2. The delete action uses the stored model name in the confirmation message.

- app/Models/Common/Item.php:190-222 exposes a delete line action for Items through items.destroy.
- resources/views/common/items/index.blade.php:134-136 renders the reusable table actions component.
- resources/views/components/table/actions.blade.php:107-116 renders delete actions through <x-delete-link>.

3. DeleteLink::getMessage() performs incomplete output encoding.

    $name = addslashes($this->model->{$this->modelName});
    $name = Str::replace(['\"', '"'], '&quot;', $name);
    $message = trans('general.delete_confirm', [
        'name' => '<strong>' . $name . '</strong>',
        'type' => $type,
    ]);

    $name = addslashes($this->model->{$this->modelName});
    $name = Str::replace(['\"', '"'], '&quot;', $name);
    $message = trans('general.delete_confirm', [
        'name' => '<strong>' . $name . '</strong>',
        'type' => $type,
    ]);

    $name = addslashes($this->model->{$this->modelName});
    $name = Str::replace(['\"', '"'], '&quot;', $name);
    $message = trans('general.delete_confirm', [
        'name' => '<strong>' . $name . '</strong>',
        'type' => $type,
    ]);

    $name = addslashes($this->model->{$this->modelName});
    $name = Str::replace(['\"', '"'], '&quot;', $name);
    $message = trans('general.delete_confirm', [
        'name' => '<strong>' . $name . '</strong>',
        'type' => $type,
    ]);

The transformation protects double quotes in the initial HTML attribute context, but it does not encode <, >, event-handler attributes, or other HTML syntax. Payloads such as <img src=x onerror=alert(document.domain)> remain present in the generated message.

4. The Blade view emits the message as trusted HTML in a data attribute.

data-message="{!! $message !!}"

- Relevant code: resources/views/components/delete-link.blade.php:16-25

5. The frontend reads the attribute and renders the message with v-html.

    let message = document.getElementById(delete_id).getAttribute('data-message');
    this.confirmDelete(action, title, message, button_cancel, button_delete);

    <div class="py-1 px-5" v-html="message"></div>

    let message = document.getElementById(delete_id).getAttribute('data-message');
    this.confirmDelete(action, title, message, button_cancel, button_delete);

    <div class="py-1 px-5" v-html="message"></div>

    let message = document.getElementById(delete_id).getAttribute('data-message');
    this.confirmDelete(action, title, message, button_cancel, button_delete);

    <div class="py-1 px-5" v-html="message"></div>

    let message = document.getElementById(delete_id).getAttribute('data-message');
    this.confirmDelete(action, title, message, button_cancel, button_delete);

    <div class="py-1 px-5" v-html="message"></div>

Relevant code: resources/assets/js/mixins/global.js:372-395 and resources/assets/js/components/AkauntingModal.vue:28-30

PoC

1. Navigate to: http://localhost:8088/1/common/items/create
2. Create a new Item with the following Name:
CVE-XSS-ITEM-"><img src=x onerror=alert(document.domain)>
3. Complete the remaining required fields and save the Item.
4. Navigate to: http://localhost:8088/1/common/items
5. Open the row actions for the created Item and click the delete action.

Evidence of exploitation

Video of exploitation
Static evidence

Our security policy

We have reserved the ID CVE-2026-11942 to refer to this issue from now on.

System Information

Akaunting
Version: 3.1.21
Operating System: Any

References

Github Repository: https://github.com/akaunting/akaunting
Security: https://github.com/akaunting/akaunting/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Naveda from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



10 de jun. de 2026

Vulnerability discovered



10 de jun. de 2026

Vendor contacted



22 de jun. de 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks